SHIBUI-2380

fixing issues with the oidc relying party overrides
TIER · Oct 21, 2022 · 03ca5bb · 03ca5bb
1 parent a2768fb
commit 03ca5bb
Show file tree

Hide file tree

Showing 9 changed files with 256 additions and 256 deletions.
diff --git a/...ain/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JsonSchemaBuilderService.groovy b/...ain/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JsonSchemaBuilderService.groovy
@@ -59,7 +59,7 @@ class JsonSchemaBuilderService {
                         [title       : it['displayName'],
                          description : it['helpText'],
                          type        : ((IRelyingPartyOverrideProperty)it).getTypeForUI(),
-                         default     : it['displayType'] == 'boolean' ? Boolean.getBoolean(it['defaultValue']) : it['defaultValue'],
+                         default     : it['displayType'] == 'boolean' ? Boolean.parseBoolean(it['defaultValue']) : it['defaultValue'],
                          examples    : it['examples']]
             }
             properties[(String) it['name']] = property

diff --git a/backend/src/main/resources/application.yml b/backend/src/main/resources/application.yml
@@ -241,18 +241,18 @@ custom:
       defaultValue: CHAIN
       attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationMethod
       protocol: oidc
-    - name: accessTokenLifetime
+    - name: accessTokenLifetimeOauth
       attributeFriendlyName: accessTokenLifetime
-      displayName: label.accessTokenLifetime
-      helpText: tooltip.accessTokenLifetime
+      displayName: label.accessTokenLifetime.oauth
+      helpText: tooltip.accessTokenLifetime.oauth
       displayType: string
       defaultValue: PT10M
       attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenLifetime
       protocol: oidc
-    - name: accessTokenType
+    - name: accessTokenTypeOauth
       attributeFriendlyName: accessTokenType
-      displayName: label.accessTokenType
-      helpText: tooltip.accessTokenType
+      displayName: label.accessTokenType.oauth
+      helpText: tooltip.accessTokenType.oauth
       displayType: string
       attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenType
       protocol: oidc
@@ -285,10 +285,10 @@ custom:
       defaultValue: authorization_code, refresh_token
       attributeName: http://shibboleth.net/ns/profiles/oauth2/token/grantTypes
       protocol: oidc
-    - name: refreshTokenLifetime
+    - name: refreshTokenLifetimeOauth
       attributeFriendlyName: refreshTokenLifetime
-      displayName: label.refreshTokenLifetime
-      helpText: tooltip.refreshTokenLifetime
+      displayName: label.refreshTokenLifetime.oauth
+      helpText: tooltip.refreshTokenLifetime.oauth
       displayType: string
       defaultValue: PT2H
       attributeName: http://shibboleth.net/ns/profiles/oauth2/token/refreshTokenLifetime
@@ -298,53 +298,53 @@ custom:
       displayName: label.resolveAttributes.oauth
       helpText: tooltip.resolveAttributes.oauth
       displayType: boolean
-      defaultValue: TRUE
+      defaultValue: true
       attributeName: http://shibboleth.net/ns/profiles/oauth2/token/resolveAttributes
       protocol: oidc
     - name: authorizationCodeFlowEnabled
       attributeFriendlyName: authorizationCodeFlowEnabled
       displayName: label.authorizationCodeFlowEnabled
       helpText: tooltip.authorizationCodeFlowEnabled
       displayType: boolean
-      defaultValue: TRUE
+      defaultValue: true
       attributeName: http://shibboleth.net/ns/profiles/authorizationCodeFlowEnabled
       protocol: oidc
     - name: hybridFlowEnabled
       attributeFriendlyName: hybridFlowEnabled
       displayName: label.hybridFlowEnabled
       helpText: tooltip.hybridFlowEnabled
       displayType: boolean
-      defaultValue: TRUE
+      defaultValue: true
       attributeName: http://shibboleth.net/ns/profiles/hybridFlowEnabled
       protocol: oidc
     - name: implicitFlowEnabled
       attributeFriendlyName: implicitFlowEnabled
       displayName: label.implicitFlowEnabled
       helpText: tooltip.implicitFlowEnabled
       displayType: boolean
-      defaultValue: TRUE
+      defaultValue: true
       attributeName: http://shibboleth.net/ns/profiles/implicitFlowEnabled
       protocol: oidc
     - name: refreshTokensEnabled
       attributeFriendlyName: refreshTokensEnabled
       displayName: label.refreshTokensEnabled
       helpText: tooltip.refreshTokensEnabled
       displayType: boolean
-      defaultValue: TRUE
+      defaultValue: true
       attributeName: http://shibboleth.net/ns/profiles/refreshTokensEnabled
       protocol: oidc
-    - name: accessTokenLifetime
+    - name: accessTokenLifetimeOidc
       attributeFriendlyName: accessTokenLifetime
-      displayName: label.accessTokenLifetime
-      helpText: tooltip.accessTokenLifetime
+      displayName: label.accessTokenLifetime.oidc
+      helpText: tooltip.accessTokenLifetime.oidc
       displayType: string
       defaultValue: PT10M
       attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenLifetime
       protocol: oidc
-    - name: accessTokenType
+    - name: accessTokenTypeOidc
       attributeFriendlyName: accessTokenType
-      displayName: label.accessTokenType
-      helpText: tooltip.accessTokenType
+      displayName: label.accessTokenType.oidc
+      helpText: tooltip.accessTokenType.oidc
       displayType: string
       attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenType
       protocol: oidc
@@ -362,10 +362,10 @@ custom:
       displayType: boolean
       attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/allowPKCEPlain
       protocol: oidc
-    - name: alwaysIncludedAttributes
+    - name: alwaysIncludedAttributesBrowser
       attributeFriendlyName: alwaysIncludedAttributes
-      displayName: label.alwaysIncludedAttributes
-      helpText: tooltip.alwaysIncludedAttributes
+      displayName: label.alwaysIncludedAttributes.browser
+      helpText: tooltip.alwaysIncludedAttributes.browser
       displayType: string
       attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/alwaysIncludedAttributes
       protocol: oidc
@@ -377,10 +377,10 @@ custom:
       defaultValue: PT5M
       attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/authorizeCodeLifetime
       protocol: oidc
-    - name: deniedUserInfoAttributes
+    - name: deniedUserInfoAttributesBrowser
       attributeFriendlyName: deniedUserInfoAttributes
-      displayName: label.deniedUserInfoAttributes
-      helpText: tooltip.deniedUserInfoAttributes
+      displayName: label.deniedUserInfoAttributes.browser
+      helpText: tooltip.deniedUserInfoAttributes.browser
       displayType: string
       attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/deniedUserInfoAttributes
       protocol: oidc
@@ -420,18 +420,18 @@ custom:
       displayType: boolean
       attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/includeIssuerInResponse
       protocol: oidc
-    - name: refreshTokenLifetime
+    - name: refreshTokenLifetimeOidc
       attributeFriendlyName: refreshTokenLifetime
-      displayName: label.refreshTokenLifetime
-      helpText: tooltip.refreshTokenLifetime
+      displayName: label.refreshTokenLifetime.oidc
+      helpText: tooltip.refreshTokenLifetime.oidc
       displayType: string
       defaultValue: PT2H
       attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/refreshTokenLifetime
       protocol: oidc
-    - name: alwaysIncludedAttributes
+    - name: alwaysIncludedAttributesToken
       attributeFriendlyName: alwaysIncludedAttributes
-      displayName: label.alwaysIncludedAttributes
-      helpText: tooltip.alwaysIncludedAttributes
+      displayName: label.alwaysIncludedAttributes.token
+      helpText: tooltip.alwaysIncludedAttributes.token
       displayType: string
       attributeName: http://shibboleth.net/ns/profiles/oidc/token/alwaysIncludedAttributes
       protocol: oidc
@@ -440,7 +440,7 @@ custom:
       displayName: label.encryptionOptional
       helpText: tooltip.encryptionOptional
       displayType: boolean
-      defaultValue: TRUE
+      defaultValue: true
       attributeName: http://shibboleth.net/ns/profiles/oidc/token/encryptionOptional
       protocol: oidc
     - name: IDTokenLifetime

diff --git a/backend/src/main/resources/i18n/messages.properties b/backend/src/main/resources/i18n/messages.properties
@@ -877,32 +877,32 @@ label.postAuthenticationFlows=Post Authentication Flows
 label.proxyCount=Proxy Count
 label.revocationLifetime=Revocation Lifetime
 label.revocationMethod=Revocation Method
-label.accessTokenLifetime=Access Token Lifetime
-label.accessTokenType=Access Token Type
+label.accessTokenLifetime.oauth=Access Token Lifetime (OAUTH)
+label.accessTokenType.oauth=Access Token Type (OAUTH)
 label.allowPKCEPlain.oidc=Allow PKCE Plain (OIDC)
 label.enforceRefreshTokenRotation=Enforce Refresh Token Rotation
 label.forcePKCE.oidc=Force PKCE (OIDC)
 label.grantTypes=Grant Types
-label.refreshTokenLifetime=Refresh Token Lifetime
-label.resolveAttributes.oauth=Resolve Attributes (Oauth)
+label.refreshTokenLifetime.oauth=Refresh Token Lifetime (OAUTH)
+label.resolveAttributes.oauth=Resolve Attributes (OAUTH)
 label.authorizationCodeFlowEnabled=Authorization Code Flow Enabled
 label.hybridFlowEnabled=Hybrid Flow Enabled
 label.implicitFlowEnabled=Implicit Flow Enabled
 label.refreshTokensEnabled=Refresh Tokens Enabled
-label.accessTokenLifetime=Access Token Lifetime
-label.accessTokenType=Access Token Type
+label.accessTokenLifetime.oidc=Access Token Lifetime (OIDC)
+label.accessTokenType.oidc=Access Token Type (OIDC)
 label.acrRequestAlwaysEssential=Acr Request Always Essential
 label.allowPKCEPlain.oauth=Allow PKCE Plain (OAUTH)
-label.alwaysIncludedAttributes=Always Included Attributes
+label.alwaysIncludedAttributes.token=Always Included Attributes (Token)
 label.authorizeCodeLifetime=Authorize Code Lifetime
-label.deniedUserInfoAttributes=Denied User Info Attributes
+label.deniedUserInfoAttributes.browser=Denied User Info Attributes (browser)
 label.encodeConsentInTokens=Encode Consent In Tokens
 label.encodedAttributes=Encoded Attributes
 label.forcePKCE.oauth=Force PKCE (OAUTH)
 label.IDTokenLifetime.browser=IDToken Lifetime (browser)
 label.includeIssuerInResponse=Include Issuer In Response
-label.refreshTokenLifetime=Refresh Token Lifetime
-label.alwaysIncludedAttributes=Always Included Attributes
+label.refreshTokenLifetime.oidc=Refresh Token Lifetime (OIDC)
+label.alwaysIncludedAttributes.browser=Always Included Attributes (browser)
 label.encryptionOptional=Encryption Optional
 label.IDTokenLifetime=IDToken Lifetime
 label.deniedUserInfoAttributes=Denied User Info Attributes
@@ -918,33 +918,33 @@ tooltip.postAuthenticationFlows=Ordered list of profile interceptor flows to run
 tooltip.proxyCount=Limits use of proxying either to service providers downstream or when requesting authentication from identity providers upstream. This will generally depend on whether a particular protocol supports the feature.
 tooltip.revocationLifetime=The revocation lifetime used when revoking the full chain (see CHAIN above).
 tooltip.revocationMethod=The revocation method: CHAIN refers to revoking whole chain of tokens (from authorization code to all access/refresh tokens) and TOKEN refers to revoking single token
-tooltip.accessTokenLifetime=Lifetime of access token issued to client
-tooltip.accessTokenType=Format of access token. Supported values are ?JWT? or nothing/empty/null implying opaque tokens.
-tooltip.allowPKCEPlain=Whether client is allowed to use PKCE code challenge method plain
+tooltip.accessTokenLifetime.oauth=Lifetime of access token issued to client (OAUTH)
+tooltip.accessTokenType.oauth=Format of access token. Supported values are ?JWT? or nothing/empty/null implying opaque tokens.
+tooltip.allowPKCEPlain.oauth=Whether client is allowed to use PKCE code challenge method plain (OAUTH)
 tooltip.enforceRefreshTokenRotation=Whether to enforce refresh token rotation. If enabled the refresh token is revoked whenever it is used for issuing a new refresh token.
-tooltip.forcePKCE=Whether client is required to use PKCE
+tooltip.forcePKCE.oauth=Whether client is required to use PKCE (OAUTH)
 tooltip.grantTypes=OAuth grant types to allow
-tooltip.refreshTokenLifetime=Lifetime of refresh token issued to client
+tooltip.refreshTokenLifetime.oidc=Lifetime of refresh token issued to client
 tooltip.resolveAttributes.oidc=Whether to resolve attributes during the token issuance process
 tooltip.authorizationCodeFlowEnabled=Whether to enable the authorization code flow
 tooltip.hybridFlowEnabled=Whether to enable the hybrid flow
 tooltip.implicitFlowEnabled=Whether to enable the implicit flow
 tooltip.refreshTokensEnabled=Whether to enable refresh token support
-tooltip.accessTokenLifetime=Lifetime of access token
-tooltip.accessTokenType=Format of access token. Supported values are ?JWT? or nothing/empty/null implying opaque tokens.
+tooltip.accessTokenLifetime.oidc=Lifetime of access token (OIDC)
+tooltip.accessTokenType.oidc=Format of access token. Supported values are 'JWT' or nothing/empty/null implying opaque tokens.
 tooltip.acrRequestAlwaysEssential=Whether to treat "acr" claim requests as essential regardless of request
-tooltip.allowPKCEPlain=Whether client is allowed to use PKCE code challenge method plain
-tooltip.alwaysIncludedAttributes=Specifies IdPAttributes to always include in ID token regardless of response_type
+tooltip.allowPKCEPlain.oidc=Whether client is allowed to use PKCE code challenge method plain (OIDC)
+tooltip.alwaysIncludedAttributes.token=Specifies IdPAttributes to always include in ID token regardless of response_type
 tooltip.authorizeCodeLifetime=Lifetime of authorization code
-tooltip.deniedUserInfoAttributes=Specifies IdPAttributes to omit from UserInfo token
+tooltip.deniedUserInfoAttributes.browser=Specifies IdPAttributes to omit from UserInfo token (browser)
 tooltip.encodeConsentInTokens=Whether to embed consent decision(s) in access/refresh tokens and authorization code to allow for client-side consent storage
 tooltip.encodedAttributes=Specifies IdPAttributes to encode into tokens for recovery on back-channel token requests
-tooltip.forcePKCE=Whether client is required to use PKCE
+tooltip.forcePKCE.oidc=Whether client is required to use PKCE (OIDC)
 tooltip.IDTokenLifetime.browser=Lifetime of ID token (browser)
 tooltip.includeIssuerInResponse=Whether to include issuer -parameter in the responses as specified by RFC 9207. If set to true also consider including authorization_response_iss_parameter_supported to the OP metadata.
-tooltip.refreshTokenLifetime=Lifetime of refresh token
-tooltip.alwaysIncludedAttributes=Specifies IdPAttributes to always include in ID token regardless of response_type
-tooltip.encryptionOptional=Whether the absence of encryption details in a client?s metadata should fail when issuing an ID token
+tooltip.refreshTokenLifetime.oauth=Lifetime of refresh token
+tooltip.alwaysIncludedAttributes.browser=Specifies IdPAttributes to always include in ID token regardless of response_type
+tooltip.encryptionOptional=Whether the absence of encryption details in a client's metadata should fail when issuing an ID token
 tooltip.IDTokenLifetime=Lifetime of ID token issued to client
 tooltip.deniedUserInfoAttributes=Specifies IdPAttributes to omit from UserInfo token
 tooltip.resolveAttributes.oauth=Whether to run the attribute resolution/filtering step